b'D-2010-005                                November 3, 2009\n\n\n\n\n   Information Security at the Fleet and Industrial Supply\n          Center, Sigonella, Detachment Bahrain\n\x0cAdditional Copies\nTo obtain additional copies of this report, contact the Secondary Reports Distribution\nUnit at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932\n\nSuggestions for Audits\nTo suggest or request audits, contact the Office of the Deputy Inspector General for\nAuditing by phone (703) 604-9142 (DSN 664-9142), by fax (703) 604-8932, or by mail:\n\n                      ODIG-AUD (ATTN: Audit Suggestions)\n                      Department of Defense Inspector General\n                      400 Army Navy Drive (Room 801)\n                      Arlington, VA 22202-4704\n\n\n\n\nAcronyms and Abbreviations\nCNO                           Chief of Naval Operations\nDASN (M&B)                    Deputy Assistant Secretary of the Navy (Management and\n                                Budget)\nFISCSI                        Fleet and Industrial Supply Center, Sigonella\nNOFORN                        Not Releasable to Foreign Nationals\n\x0c                                  INSPECTOR GENERAL\n                                   DEPARTMENT OF DEFENSE \n\n                                    400 ARM Y NAV Y DR IVE \n\n                             AR LI NGTON , VIR GINIA 22202-4704 \n\n\n\n\n\n                                                                         November 3, 2009\n\nMEMORANDUM FOR NAVAL INSPECTOR GENERAL\n\nSUBJECT: Information Security at the Fleet and Industrial Supply Center, Sigonella,\n          Detachment Bahrain (Report No. D-2010-005)\n\n\nWe are providing this report for review and comment. This is the first in a series of\naudits on Army and Navy ship maintenance contracts. We considered management\ncomments on a draft of this report when preparing the final report.\n\nDOD Directive 7650.3 requires that all recommendations be resolved promptly. We\nredirected draft Recommendation l.a to the Director of Contracting, Fleet and Industrial\nSupply Center, Sigonella, Detachment Naples and renumbered it as Recommendation 2.c.\nWe added a new Recommendation l .a, which is directed to the Special Assistant for Naval\nInvestigative Matters and Security. We also revised Recommendation l.b. We request that\nthe Special Assistant for Naval Investigative Matters and Security respond to\nRecommendation l.a and l.b, and the Director of Contracting, Fleet and Industrial Supply\nCenter, Sigonella, Detachment Naples, respond to Recommendation 2.c by November 24,\n2009.\n\nIf possible, please send a .pdf file containing your comments to audacm@dodig.mil. Copies\nof the management comments must contain the actual signature of the authorizing official.\nWe are unable to accept the /Signed/ symbol in place of the actual signature. If you arrange\nto send classified comments electronically, you must send them over the SECRET Internet\nProtocol Router Network (SIPRNET).\n\nWe appreciate the courtesies extended to the staff. Please direct questions to me at (703)\n604-9071 (DSN 664-9071).\n\n\n\n\n                                              Deputy Assistant Inspector General\n                                              Acquisition and Contract Management\n\x0c\x0cReport No. D-2010-005 (Project No. D2009-D000AS-0163.000)                    November 3, 2009\n\n\n               Results in Brief: Information Security at the\n               Fleet and Industrial Supply Center, Sigonella,\n               Detachment Bahrain\n\nWhat We Did                                                 \xef\x82\xb7   initiate corrective actions to ensure that\n                                                                all future classified documents are\nThis is the first in a series of reports on Army                properly marked.\nand Navy ship maintenance contracts. The\noverall objective was to determine whether              The Director of Contracting, Fleet and Industrial\ncontracts providing ship repair and maintenance         Supply Center, Sigonella, Detachment Naples\nto the U.S. Army operations in Kuwait and               (FISCSI Det Naples) ensure that FISCSI Det\nNavy operations in Bahrain and United Arab              Bahrain:\nEmirates were properly managed and\nadministered. We are issuing this report in                 \xef\x82\xb7\t\t provide training to personnel at FISCSI\norder to address an information security issue at               Det Bahrain on DOD and Navy\nthe Fleet and Industrial Supply Center,                         information security policies to ensure\nSigonella, Detachment Bahrain (FISCSI Det                       that personnel know how to handle\nBahrain). Subsequent reports will address the                   classified information,\naudit objective.\n                                                            \xef\x82\xb7\t\t review all contract files to ensure that\nWhat We Found                                                   they do not contain classified\nWe identified internal control weaknesses in                    information and documentation and take\ncontrolling and securing classified information                 appropriate action to control and secure\nat FISCSI Det Bahrain.                                          any classified information found, and\n\nU.S. Navy personnel did not follow DOD                      \xef\x82\xb7\t\t investigate the compromise of classified\nRegulations on handling classified                              information\ndocumentation. Specifically, the Office of the\nChief of Naval Operations (CNO) did not                 Management Comments and\ncorrectly mark the documents with a                     Our Responses\ndeclassification date, and FISCSI Det Bahrain\n                                                        The Deputy Assistant Secretary of the Navy\npersonnel stored classified documents in\n                                                        (Management and Budget) responded for the\nunclassified files that they did not safeguard or\n                                                        Special Assistant for Naval Investigative\nmark properly.\n                                                        Matters and Security, and the Director of\n                                                        Contracting, FISCSI Det Naples. We redirected\nWhat We Recommend                                       and renumbered draft Recommendation 1.a to\nThe Special Assistant for Naval Investigative           2.c. We added a new Recommendation 1.a and\nMatters and Security:                                   revised draft Recommendation 1.b. We request\n                                                        that the Special Assistant for Naval\n    \xef\x82\xb7\t\t determine who the original                      Investigative Matters and Security and FISCSI\n        classification authority is and provide         Det Naples provide comments on the final\n        this information to FISCSI Det Bahrain          report by November 24, 2009. See the\n        and                                             recommendations table on page ii.\n\n\n                                                    i\n\x0cReport No. D-2010-005 (Project No. D2009-D000AS-0163.000)             November 3, 2009\n\nRecommendations Table\n\nManagement                       Recommendations            No Additional Comments\n                                 Requiring Comment          Required\nSpecial Assistant for Naval      1.a and 1.b\nInvestigative Matters and\nSecurity\nDirector of Contracting, Fleet   2.c                        2.a and 2.b\nand Industrial Supply Center,\nSigonella, Detachment Naples\n\nPlease provide comments by November 24, 2009\n\n\n\n\n                                          ii\n\x0cTable of Contents\n\nIntroduction\t                                                                     1\n\n\n       Objectives                                                                 1\n\n       Background                                                                 1\n\n       Review of Internal Controls                                                2\n\n\nFinding. Classified Information in the Fleet and Industrial Supply Center, \n\nSigonella, Detachment Bahrain                                                     3\n\n\n\n       Management Actions                                                         5\n\n       Management Comments on the Finding and Our Response                        6\n\n       Recommendations, Management Comments, and Our Response                     6\n\n\nAppendices\n\n       A. \tScope and Methodology                                                 10 \n\n       B. \tAction Memorandum to Fleet and Industrial Supply Center, Sigonella,   \n\n           Detachment Naples                                                     11 \n\n\nManagement Comments\n\n       Office of the Assistant Secretary of the Navy (Management and Budget)     12 \n\n\x0c\x0cIntroduction\nObjectives\nThis is the first in a series of reports on Army and Navy ship maintenance contracts. The\noverall objective was to determine whether contracts providing ship repair and\nmaintenance to the U.S. Army operations in Kuwait and Navy operations in Bahrain and\nUnited Arab Emirates were properly managed and administered. The audit series will\ninclude reports on the contracts we reviewed in the Fleet and Industrial Supply Center,\nSigonella, Detachment Bahrain (FISCSI Det Bahrain); U.S. Naval Sea Systems\nCommand; and the U.S. Army. See Appendix A for a discussion of our scope and\nmethodology.\n\nThe audit team identified an information security issue at FISCSI Det Bahrain. We\nissued a memorandum (Appendix B) identifying the seriousness of this issue and required\naction; however, FISCSI Det Bahrain personnel had not implemented the necessary\nimprovements. Although the original objective did not include information security, we\ndetermined that further notification and reporting was warranted. The potential impacts\nof not protecting classified information on U.S. national security are severe. We are\nissuing this report to address the information security issues at FISCSI Det Bahrain in a\ntimely manner.\n\nBackground\nThe Naval Supply Systems Command\nThe Naval Supply Systems Command manages supply chains that provide material for\nNavy aircraft, surface ships, submarines, and their associated weapons systems. The\nCommander, Fleet and Industrial Supply Centers reports to the Naval Supply Systems\nCommand.\n\nCommander, Fleet and Industrial Supply Centers\nUnder the Naval Supply Systems Command; the Commander, Fleet and Industrial Supply\nCenters, functions as a global provider of integrated supply and support services to fleet\nunits and shore activities. The Commander, Fleet and Industrial Supply Centers, is\nresponsible for establishing common policies and procedures of the worldwide network\nof the seven Fleet and Industrial Supply Centers, including the Fleet and Industrial\nSupply Center, Sigonella, Italy.\n\nFleet and Industrial Supply Center, Sigonella\nThe Fleet and Industrial Supply Center, Sigonella (FISCSI) is located at the Naval Air\nStation Sigonella, Italy, and provides logistics, business, and support services to the\nNavy, Coast Guard, and Military Sealift Command, as well as other joint forces. FISCSI\ndelivers direct logistical support to various locations including Dubai and Jebel Ali within\nthe Emirate of Dubai and Bahrain. FISCSI oversees the FISCSI, Detachment Naples\n(FISCSI Det Naples).\n\n\n                                             1\n\n\x0cFlSCSI Det Naples\nFISCSI Det Naples has detachments in London, Bahrain, and the Emirate of Dubai\nto provide contracting support for U.S. forces throughout Europe, the Mediterranean,\nAfrica, and Southwest Asia.\n\nFISCSI Det Bahrain\nFISCSI Det Bahrain is located at the Naval Support Activity in Manama, Bahrain. The\nmission of FISCSI Det Bahrain is to provide fleet support for U.S Navy, Military Sealift,\nand Coast Guards ships operating in the 5th Fleet area of responsibility as well as base\nsupport for naval installations in the Middle East. FISCSI Det Bahrain reports to FISCSI\nDet Naples. The workforce at FISCSI Det Bahrain consists of 3 military service\nmembers, 5 U.S. civilians, and 12 foreign nationals. FISCSI Det Bahrain administers\nsome of the Navy contracts in our audit sample.\n\nReview of Internal Controls\nDOD Instruction 5010.40, \xe2\x80\x9cManagers\xe2\x80\x99 Internal Control (MIC) Program Procedures,\xe2\x80\x9d\nJanuary 4, 2006, requires DOD organizations to implement a comprehensive system of\ninternal controls that provides reasonable assurance that programs are operating as\nintended and to evaluate the effectiveness of the controls. We determined that FISCSI\nDet Bahrain did not have adequate internal controls for controlling and securing\nclassified information. Implementing the recommendations in the Finding will help to\nprevent compromising classified information at FISCSI Det Bahrain. We will provide a\ncopy of the report to the senior official responsible for internal controls at Naval Supply\nSystems Command, FISCSI Det Naples, and to the Special Assistant for Naval\nInvestigative Matters and Security.\n\n\n\n\n                                             2\n\n\n\x0cFinding. Classified Information in the Fleet\nand Industrial Supply Center, Sigonella,\nDetachment Bahrain\nFISCSI Det Bahrain personnel stored classified documents in unclassified files that they\ndid not safeguard or mark properly because FISCSI Det Bahrain personnel did not follow\nDOD Regulations on handling classified information. In addition, Chief of Naval\nOperations (CNO) officials did not properly mark the documents with a declassification\ndate. As a result, foreign nationals and other employees had access to classified\ninformation. Unauthorized access to classified documentation can compromise national\nsecurity and increase risk to the warfighter.\n\nSafeguarding of Classified Information\nDOD Regulation 5200.1-R, \xe2\x80\x9cInformation Security Program,\xe2\x80\x9d January 1997 states that\neveryone granted access to classified information is responsible for properly protecting\ninformation in their possession or control. The Regulation states that we must protect\nclassified information at all times by storing it in an approved device or facility or in the\npossession of an authorized individual.\n\nFISCSI Det Bahrain officials provided the contract files for contracts N49400-03-H-\nA005-5024 and N49400-04-H-A501-6098 on May 25, 2009. According to FISCSI Det\nBahrain contracting officials, they retrieved the contract files from an unsecured storage\nfacility and placed them in the unsecured conference room. The contract files provided\nto us were issued from FY 2004 through FY 2009. The Deputy Officer In Charge,\nFISCSI Det Bahrain, stated that none of the contract files were locked in an approved\ncontainer or storage facility because the contracts were unclassified.\n\nOn May 28, 2009, we found a CNO memorandum and an e-mail classified\nConfidential/NOFORN (not releasable to foreign nationals) in contract file N49400-03-\nH-A005-5024. When we discovered the items, we attempted to inform the Officer in\nCharge, FISCSI Det Bahrain. However, he was not available, so we informed the FISCSI\nDet Bahrain legal counsel. The legal counsel stated that FISCSI Det Bahrain personnel\nwould review the contract file page by page and start an investigation into the matter.\nFISCSI Det Bahrain officials secured the contract file N49400-03-H-A005-5024 in a\nsafe.\n\nOn May 31, 2009, we discovered another CNO memorandum and an e-mail classified\nConfidential/NOFORN in contract file N49400-04-H-A501-6098. We again informed\nthe FISCSI Det Bahrain legal counsel and the Officer in Charge, FISCSI Det Bahrain.\nWe provided them with the entire contract file for their review. FISCSI Det Bahrain\nsecured the classified documentation in contract file N49400-04-H-A501-6098 in a room\nwith a lock on the door.\n\n\n\n\n                                              3\n\n\n\x0cFISCSI Det Bahrain personnel stated that the documentation we discovered is old, may\nbe declassified, and is public knowledge. We informed the FISCSI Det Bahrain Officer\nin Charge that FISCSI Det Bahrain should still treat the documents as classified\ninformation because there was not a date for declassification on the documents.\nAdditionally, the FISCSI Det Bahrain Officer in Charge did not create the documents and\ndoes not have the authority to determine if the documents should be declassified. The\nprocesses and procedures FISCSI Det Bahrain personnel use to secure and protect\nclassified information are ineffective. Unless Navy officials identify and correct the\nfaults in those procedures, we believe that similar failures will happen in the future,\nwhich could jeopardize U.S. national security.\n\nWe obtained a copy of the memorandum and e-mails included in contract file N49400-\n04-H-A501-6098. Although we requested a copy of the classified documents in contract\nfile N49400-03-H-A005-5024 several times, the FISCSI Det Bahrain Command Security\nOfficer shredded the classified documents without providing us a copy for our audit\ndocumentation review and analysis.\n\nMarking of Classified Information\nThe CNO issuing official and FISCSI Det Bahrain officials did not properly mark the\nclassified memoranda and e-mails with a declassification date or identify the source of\nclassification of the information in the document. DOD 5200.1-R requires markings that\ninclude a declassification date and identify the source of the classified information.\n\nBecause CNO officials issued the memoranda, they were responsible for correctly\nmarking them. CNO officials did not mark the memoranda; therefore, we could not\ndetermine who the original classification authority was for declassifying the information.\nDOD 5200.1-R states that the Secretary of Defense, the Secretaries of the Military\nDepartments, and the designated original classification authority are the only personnel\nthat can declassify information.\n\nWe reviewed the e-mails included with the memorandum in contract file N49400-04-H-\nA501-6098 and determined that FISCSI Det Bahrain did not properly mark the e-mails.\nOne e-mail contained \xe2\x80\x9cderived from\xe2\x80\x9d and \xe2\x80\x9cdeclassify on\xe2\x80\x9d information. However, Navy\npersonnel did not properly mark the forwarding e-mails. In addition, we could not\ndetermine whether the Navy personnel on the e-mails sent them on a secure network.\n\nAccess to Classified Information\nFISCSI Det Bahrain has many foreign nationals working in its contracting office.\nBecause the documents we found were marked \xe2\x80\x9cConfidential/NOFORN,\xe2\x80\x9d foreign\nnationals should not have access to these documents. In the contract file for N49400-04-\nH-A501-6098, we found modifications signed by a contracting official that is a foreign\nnational. We determined that because a foreign national signed the contract\nmodifications, they had access to the classified documentation included in that file.\nTherefore, the classified information is potentially compromised.\n\n\n\n\n                                            4\n\n\n\x0cDOD 5200.1-R states that when an actual or potential compromise of classified\ninformation occurs, the head of the activity or activity security manager should promptly\ninitiate an inquiry into the incident. According to the Secretary of the Navy Manual\n5510.36, \xe2\x80\x9cDepartment of the Navy Information Security Program,\xe2\x80\x9d June 2006, when a\ncompromise of classified information occurs, the commanding officer or security\nmanager should initiate a preliminary inquiry within 72 hours of the incident. If it is\ndetermined during the preliminary inquiry that a compromise of classified information\noccurred, the commanding officer or security manager should contact the local Naval\nCriminal Investigative Service office in a timely manner. Once we notified the Officer in\nCharge, FISCSI Det Bahrain that we found the classified information, he should have\ninitiated an inquiry into the incident and informed the Naval Criminal Investigative\nService. However, FISCSI Det Bahrain officials did not initiate an inquiry into the\nincident and did not notify the Naval Criminal Investigative Service.\n\nDuring our exit briefing on June 4, 2009, we again informed the Officer in Charge,\nFISCSI Det Bahrain, that he needed to take action to secure this information and to\nreduce the risk of future security issues.\n\nOn July 17, 2009, we issued an action memorandum to FISCSI Det Naples with a copy to\nthe Special Assistant for Naval Investigative Matters and Security (Appendix B). We\nrecommended that FISCSI Det Naples personnel initiate an inquiry into this issue in\naccordance with DOD Regulation 5200.1-R and that they inform us of the actions taken\nto address the issue.\n\nOn July 28, 2009, we received a memorandum from the FISCSI Det Bahrain Command\nSecurity Officer stating that the Regional Security Director in Sigonella gave him\npermission to destroy the documents because the documents were nearly 4 years old and\nall of the information contained in each document is now public knowledge. The\nCommand Security Officer stated in the memorandum that the documents were destroyed\non July 7, 2009, in accordance with the instructions of the Regional Security Director.\n\nManagement Actions\nFISCSI Det Bahrain officials took minimal action to train personnel on the proper\nhandling of classified information. According to the FISCSI Det Bahrain Officer in\nCharge, FISCSI Det Bahrain officials are developing a policy on handling classified\ninformation but have not scheduled any corrective training. The Officer in Charge stated\nthat they reviewed the two contract files containing the documents to ensure that they did\nnot contain classified documentation but did not check the other contract files in storage.\n\nAfter we issued the action memorandum, the Special Assistant for Naval Investigative\nMatters and Security, CNO, ordered a preliminary inquiry into this compromise of\ninformation. The Special Assistant for Naval Investigative Matters and Security\ndetermined that the preliminary inquiry completed by the FISCSI Det Bahrain Command\nSecurity Officer was insufficient and asked the Security Officer to complete it again.\n\n\n\n\n                                             5\n\n\n\x0cConclusion\nWe discovered classified documents that FISCSI Det Bahrain did not safeguard, which\nincluded e-mails FISCSI Det Bahrain officials did not mark. We determined that foreign\nnational(s) had access to the classified documents, which constitutes a possible\ncompromise of classified information. FISCSI Det Bahrain must investigate this\ncompromise. In addition, FISCSI Det Bahrain officials should provide training on the\nhandling of classified information. In order to ensure that other FISCSI Det Bahrain\ncontract files do not contain classified documentation, FISCSI Det Bahrain personnel\nshould review all files that are under their control. The classified documentation we\ndiscovered includes memoranda that CNO officials did not mark As a result, the Special\nAssistant for Naval Investigative Matters and Security needs to investigate the lack of\nmarkings on the CNO memoranda to determine why they were not marked to keep it\nfrom happening in the future.\n\nManagement Comments on the Finding and Our\nResponse\nDirector of Contracting, Fleet and Industrial Supply Center,\nSigonella, Detachment Naples Comments\nThe Deputy Assistant Secretary of the Navy (Management and Budget) (DASN [M&B]),\nresponding for the Director of Contracting, FISCSI Det Naples, agreed with the Finding.\nHe stated that the classified information in the contract file was stored incorrectly and\nwas unnecessarily included in the contract file. The DASN (M&B) also explained that\nFISCSI Det Bahrain does not award or work with classified contracts.\n\nOur Response\nWe commend the DASN (M&B) for acknowledging that the classified information in the\ncontract file was stored incorrectly and was unnecessarily included in the contract file.\nWe appreciate his explanation that FICSI Det Bahrain does not award or work with\nclassified documents.\n\nRecommendations, Management Comments, and Our\nResponse\nRevised, Redirected, Renumbered, and Added Recommendations. As a result of\ncomments from the DASN (M&B), we revised, redirected, and renumbered draft\nRecommendation 1.a. to Recommendation 2.c. We directed Recommendation 2.c to the\nDirector of Contracting, FISCSI Det Naples, to reflect who is responsible for performing\nthe investigation. We added new Recommendation 1.a directed to the Special Assistant\nfor Naval Investigative Matters and Security to determine the original classification\nauthority for the memoranda so that the original classification authority can perform a\ndamage assessment. In addition, because CNO issued classified memoranda, we revised\nRecommendation 1.b to the Special Assistant for Naval Investigative Matters and\n\n\n\n                                            6\n\n\n\x0cSecurity to initiate corrective actions that will ensure that all classified information is\nproperly marked.\n\n1. We recommend that the Special Assistant for Naval Investigative Matters and\nSecurity:\n\n   a. Determine who the original classification authority for the unmarked Chief of\nNaval Operations memoranda is and coordinate with the Fleet and Industrial\nSupply Center, Sigonella, Detachment Naples so the original classification authority\ncan conduct the damage assessment.\n\n   b. When Recommendation 1.a is complete, initiate corrective actions to ensure\nthat all future classified documents are properly marked.\n\nSpecial Assistant for Naval Investigative Matters and Security\nComments\nThe DASN (M&B), responding for the Special Assistant for Naval Investigative Matters\nand Security, agreed with Recommendations 1.a and 1.b. However, the DASN (M&B)\nstated that CNO provides implementing policy in the Department of the Navy. He\nfurther stated that CNO is not responsible for conducting an investigation into the\npotential compromise of classified material and determining its effect on national\nsecurity. The DASN (M&B) also stated that the original classification authority should\nconduct the damage assessment.\n\nThe DASN (M&B) stated that CNO agrees with the Finding that the documents were\nincorrectly marked. He further stated that CNO conducted a preliminary review of the\nclassified documents in question. The DASN (M&B) also stated that CNO asserted that\nthe classified documents in question were declassified as soon as the host nation was\nnotified in September 2005. In addition, he stated that on May 7, 2009, CNO generated\ninterim guidance across the Department of the Navy commands regarding the proper\nmarking of classified documents and instructed them to conduct a random sampling of\noriginally and derivatively generated documents. Finally, the DASN (M&B) stated that\nthe CNO annual Security Manager\xe2\x80\x99s Seminar emphasizes proper marking of classified\ndocuments, including e-mails.\n\nOur Response\n We could not determine the original classification authority for the information.\nAccording to DOD 5200.1-R, the original classification authority is responsible for\nperforming a damage assessment. Because CNO issued the memoranda that were not\nmarked, we are asking the Special Assistant for Naval Investigative Matters and Security\nto determine who the original classification authority for the memoranda was so the\noriginal classification authority can perform a damage assessment. We revised\nRecommendation 1.b to initiate corrective actions once Recommendation 1.a is complete.\nWe request that the Special Assistant for Naval Investigative Matters and Security\nprovide comments on the new Recommendation 1.a and revised Recommendation 1.b.\n\n\n\n                                               7\n\n\n\x0c2. We recommend that the Director of Contracting, Fleet and Industrial Supply\nCenter, Sigonella, Detachment Naples ensure that the Fleet and Industrial Supply\nCenter, Sigonella, Detachment Bahrain:\n\n       a. Provide training to personnel in the Fleet and Industrial Supply Center,\nSigonella, Detachment Bahrain on DOD and Navy information security policies to\nensure that personnel know how to handle classified information.\n\n      b. Review all contract files to ensure that they do not contain classified\ninformation.\n\n       c. Investigate this potential compromise of classified information.\n\n\nDirector of Contracting, Fleet and Industrial Supply Center,\nSigonella, Detachment Naples Comments\nThe DASN (M&B), responding for the Director of Contracting FISCSI Det Naples,\nagreed with Recommendations 2.a and 2.b. The DASN (M&B) stated that the FISCSI\nAssistant Security Officer conducted training on the proper handling of classified\ninformation and DOD and Department of the Navy information security policies on\nAugust 10, 2009. In addition, the DASN (M&B) stated that the FISCSI Det Bahrain\nSecurity Manager provided training on the proper handling of sensitive information on\nSeptember 15, 2009. He further stated that FISCSI Det Bahrain schedules security\ntraining monthly and holds a security discussion during weekly meetings.\n\nThe DASN (M&B) stated that U.S. Government staff with appropriate clearances began\nreviewing contract files starting with the ship repair and military exercise contracts\nbecause they have the most potential to contain classified documentation. The DASN\n(M&B) also stated that they will review all contracts starting with the most recent. He\nfurther stated that historic contract files are properly stored and only authorized\nindividuals can access the files. The DASN (M&B) stated that FISCSI Det Bahrain has\ntwo Navy reservists reviewing the contract files and requested additional support. He\nalso stated that FISCSI Det Bahrain target completion date for reviewing all contract files\nis February 28, 2010.\n\nIn additional comments, the DASN (M&B) stated that the contracts containing the\nclassified memoranda were immediately stored in an approved storage location. The\nDASN (M&B) also stated that FISCSI is unable to respond to the assertion that CNO\nincorrectly marked the classified documentation and that the FISCSI Det Bahrain\nongoing investigation will attempt to determine at what point these documents were\nstored in the unclassified contract files.\n\nOur Response\nFISCSI Det Naples should provide the results of its review of all contract files to the\nDOD Office of Inspector General upon completion in February 2010. As a result of the\n\n\n                                             8\n\n\n\x0cDASN (M&B) comments; we revised and renumbered draft Recommendation 1.a to 2.c.\nWe also redirected Recommendation 2.c to FISCSI Det Naples because it is the\ncommand\xe2\x80\x99s responsibility to investigate the compromise of information. FISCSI should\nalso expand its investigation to include how and when the classified documentation ended\nup in the contract file. We request that FISCSI Det Naples personnel provide us the\nresults of their investigation. We request that the Director of Contracting, FISCSI Det\nNaples provide comments on Recommendation 2.c.\n\n\n\n\n                                           9\n\n\n\x0cAppendix A. Scope and Methodology\nWe conducted this performance audit from March 2009 through September 2009 in\naccordance with generally accepted government auditing standards. Those standards\nrequire that we plan and perform the audit to obtain sufficient, appropriate evidence to\nprovide a reasonable basis for our findings and conclusions based on our audit objectives.\nWe believe that the evidence obtained provides a reasonable basis for our findings and\nconclusions based on our audit objectives.\n\nThis is the first in a series of reports on Army and Navy ship maintenance contracts. We\nannounced this audit in March 2009 and judgmentally selected 17 FISCSI Det Bahrain\ncontracts, 15 Army contracts, and 7 Naval Sea Systems Command technical instructions,\nvalued at $96,839,887. We selected this sample from a universe of 2,934 contracts\nvalued at $171,901,765. We visited FISCSI Det Bahrain in Manama, Bahrain, from May\n25 to June 4, 2009. The results of the review of these contracts are not included in this\nreport, but follow on reports will address issues regarding these contracts.\n\nWe intend to meet the stated objective in the follow on audit projects. The scope of this\nproject is limited to the information security issues we discovered at FISCSI Det Bahrain.\nWe will issue a separate report on our review of the contract files at FISCSI Det Bahrain\nin Project No. D2009-D000AS-163.002.\n\nFor this report, we reviewed classified guidelines contained in DOD Regulation 5200.1-R\nand the Secretary of the Navy Manual 5510.36. We also interviewed officials at FISCSI\nDet Bahrain, officials at FISCSI Det Naples, and the Special Assistant for Naval\nInvestigative Matters and Security.\n\nUse of Computer-Processed Data\nWe used computer-processed data from the Federal Procurement Data System-Next\nGeneration to help choose our judgmental sample of task orders for the audit. However,\nwe did not rely on this data to support this Finding. Therefore, we did not perform a\nreliability assessment of the computer-processed data.\n\nPrior Coverage\nNo prior coverage has been conducted on classification issues in FISCSI Det Bahrain\nduring the last 5 years.\n\n\n\n\n                                           10 \n\n\x0cAppendix B. Action Memorandum to Fleet\nand Industrial Supply Center, Sigonella,\nDetachment Naples\n\n                                                         GENERAL\n                                         OEPARTMENT OF DEFENSE\n                                            4()() ARMY NAVY DRIVE\n                                       ARLINGTON . VIAGINIA 222Q2-47()4\n                                                                                       JUL 1 7 axJ9\n     MEMORM\'OUM FOR DIRECTOR, FLEET Al\\\'O lNDUSTRlAL SUPPLY CENTER\n                       SIGONELLA, NAVAL REGIONAL CONTRACTING\n                       DETACHMENT, NAPLES\n\n     SUBJECT: Information Security Issue Identified During the Audit of Army and Navy Small\n              Boats Maintenance Projects (project No. D2009-DOOOAS-016J.(lOO) (U)\n\n            \xe2\x80\xa2 \xe2\x80\xa2 \xe2\x80\xa2 In accordance with DoD Regulation 52oo.I-R " Information Security Program,"\n     dated January 1997, chapter 10, we are notifying Fleet and Industrial Supply Center (FISC)\n     Sigonclla Naval Regional Contracting Detachment Naples about a potential compromise of\n     classified information. This could present a threat to national security.\n\n           :IIII__     Ouring fieldwork in Manama, Bahrain, from May 22 to June 5, 2009, we visited\n     FISC, Bahrain to review a sample of contracting files and found classified documentation in two\n     contracting files. In one file, we found an Office of the Chief of Naval Operations (CNO)\n     memorandum, dated June 21, 2005, which is classified "ConfidentiaVNOFORN" with an e-mail\n     attached with the same marking. The other filc also contained a CNO memorandum. FISC\n     provided the files to us in an unsecure conference room and had stored them in an unsecure\n     facility. In addition, third-country nationals had access to this documentation, as they had signed\n     off on information in the contracting files. The Navy did not properly mark the document with a\n     declassification date. We informed the Commander, FISC, Bahrain of the release of this\n     information; we were not satisfied that he took appropriate action to immediately secure the\n     information. DoD Regulation 52oo.1-R provides guidance on proper storage, marking, and\n     investigation of the possible compromise of classified information.\n\n            1III!__ On at least two subsequent occasions, we have requested the status of actions\n     taken and have not received satisfactory answers. We recommend that FISC Sigonella Naval\n     Regional Contraeting Detachment Naples initiate an inquiry into this issue in accordance with\n     DoD Regulation 52oo.I-R. We request that FISC Sigonella Naval Regional Contracting\n     Detaehment Naples inform us of the actions taken to address the issue.\n\n\n\n\n                                   ~~       Richard B. Jolliffe\n                                      Assistant Inspector General\n                                  Acquisition and Contract Management\n\n     cc: Special Assistant For Naval Investigative Matters And Security\n\n\n\n\n                                                  11 \n\n\x0cOffice of the Assistant Secretary of the Navy (Research,\nDevelopment and Acquisition) Comments\n\n\n\n\n                                                             THENAV Y\n                                  OF F ICE OF TH E ASS IST AN T SEC RETAR Y\n                               (RESE AR CH. DEVELOPMENT AND ACQUISITION )\n                                            1000 NAVY PEN TAGON\n                                        WASHINGTON DC 203150 - 1000\n\n\n                                                                         Oc t ober 6. 2009\n\n        MEMORANOUM FOR DEPARTMENT OF DEFENSE-INSPECTOR GENERAL\n                      ARLINGTON. VIRGIN IA\n\n        S UBJECT: Department of Defense Inspector General Draft Report ln fonnation Security\n                  at the Fleet and Industrial Supply Center. Sigonella, Detachment Bahrai n\n                  (Projeci No. D2009-DOOOAS-OI63.(00)\n\n                The Department of the Navy (DoN) hereby endorses and forwards the allached\n        Naval Supp ly Systems Command response to subject draft report. The response provides\n        detailed comments regarding the findings and recommendations contai ned in the subject\n        draft report. The Navy\'s response should be incorporated into the final DODIG report.\n\n                  If you have any questions pertaining to this memo or its attac hments. please refer\n        them to                                             or at ,.._...illlIIIl\n\n                                    Click to add JPEG file\n                                                           puty Assistant Secretary of the Navy\n                                                          (Management and Budget)\n\n        Attachments:\n        As slated\n\n\n\n\n                                                                   12\n\x0c    NAVY COMMENTS TO DODIG DRAFT REPORT OF 10 SEPTEMBER 2009 \n\n   ON INFORMATION SECURITY AT THE FLEET AND I NDUSTRIAL SUPPLY \n\n              CENTER, SIGONELLA DETACHMENT BAHRAIN \n\n                     (D2009-DOOOAS -0163 . 000) \n\n\n\nFinding 1: \t Clas sified Information in the Fleet and\n             I ndu strial Supply Center, Detachment Bahrain\n\nFleet and Industrial Supply Center, Sigonella (FISCSI),\nDetachment Bahrain personnel stored classif ied documents in\nunclassified files that they did not safeguard or mark properly\nbecause FISCSI Detachment Bahrain personnel did not follow DOD\nRegulations on handling classified information.   In addi t ion,\nChief of Naval Operations (CNO) officials did not properly mark\nthe documents with a declassification date.   As a result,\nforeign nationals and other employees had access to classified\ninformation.  Unauthorized access to c lassified documentation\ncan compromise national security and increase risk to the war\nfighter.\n\nDON Response: Concur. The classified memorandum was incorrectly\n                    Click to add JPEG file\nfiled in the contract file.   This classified memorandum was not\nnecessary for the specific contract and did not need to be kept\nin t he contract fil e. FISCSI Detachment Bahrain does not award\nc lassified contracts, nor do they work with any classified\ncontracts.\n\nRecommendations:\n\n2. We recommended that the Director of Contracting, Fleet and\nIndustrial Supply Center $igonella Regional Naval Regional\nContracting Detachment Naples ensure that the Fleet and\nIndustrial Supply Center Sigonella Detachment Bahrain:\n\n      a . Provide tra ining to personnel in the Fleet and\nIndustrial Supply Center Bahrain o n DOD and Navy information\nsecurity policies to ensure that personnel know how to handle\nc lassified information.\n\nDON Response : Concu r. The Fleet and I ndustria l Supply Center,\nSigonella ( FISCSI) Assistant Security Of ficer conducted training\non 10 August 2009, on the proper handling of classified\ninformation and DOD/DON information security policies. The\nFISCSI Detachment Bahrain Security Manager conduc ted training on\n15 September 2009, on the proper handling of se nsitive\ninformation . Security train i ng is scheduled monthly to stress\n\n                                                      Enc losure ( I )\n\n\n\n\n                                          13\n\x0c    importance of safeguarding classified information.    In\naddition, a security reminder/discussion is prov i ded during\nweekly Work-In-Process (W IP) meetings. Action is considered\ncomplete for reporting purposes.\n\n     b. Review all contract files to ensure that they do not\ncontain classi fied information.\n\nDON Response : Concur . United States Government staff (with\nappropriate clearance) have started reviewing the contract\nfiles, beginning with those with the greatest potential of\nconta ining misfiled classified documents - ship repair contracts\nand contracts supporting military exercises. Contracts awarded\nmost recently will be reviewed fir st, fol l o wed by older\ncontracts, until all have been reviewed.\n\nHistoric contract files in storage have been prope rly secured\nand can o nly be accessed by indiv i duals with appropriate\nclearance. As required, contract fi l es needing to be removed\nfrom storage will be rev i ewed by cleared i ndividuals for\nclassified material before release to uncleared entities or\nindividuals.\n                       Click to add JPEG file\nFISCSI Detachment Bahrain currently has t wo u . s. Navy Reservists\nassisting in the review of the contract files, and has requested\nadditional Reserve support for the upcoming months.     Based on\nworkload and the quantity of contract files in inventory, our\nestimated t arget completion date f or reviewing a ll contract\nfiles is 28 February 2010.\n\nAdditional Comments:\n\nUpon discovery of the classified memos, the contract files were\nimmediately secured in an approved storage location, FISCSI\nDetachment Bahrain\'s Secure Internet Protocol Router Network\n(SIPRNET) room, which is certified to store documents up to\nSECRET classification.\n\nFISC Signonella is unable to respond to the assertions that CNO\nmismarked the c lassified documents, as FISCSI is not the\nOriginal Classifying Authority, (OCA).    The F I SCSI Detachment\nBahrain ongoing investigation will attempt to determine at what\npoint these c lassi fied documents were stowed in the unc l assified\ncontract files.\n\n\n\n\n                                                      Enclosure ( I )\n\x0c                           DEPART MENT OF T H E NAVY\n                        OF F I CE OF THE ASSIS TANT SECRE TAR Y \n\n                    ( RESEARCH . DEVELOPMENT AND A COUIS ITlON ) \n\n                                  1000 NAVY PENTAGO N \n\n                               WASHINGTON DC 203t10\xc2\xb7 1 000 \n\n\n\n                                                             October 7, 2009\n\nMEMORANDUM FOR DEPARTMENT OF DEFENSE-INSPECTOR GENERAL\n              ARLINGTON, VIRGINIA\n\nSUBJECT: \t Department of Defense In spector General Dmft Report lnformat ion Security\n           at the Fleet and industrial Supply Center. Sigonella. Detachment Bahrain\n           (Project No. D2009-DOOOAS-O I63 .(00)\n\n        The Department of the Navy (DoN) hereby endorses and forwards the auached\nSpeci al Assistant for Naval Investigative Matters & Security response to subject draft\nreport for recommendations I a and I b. This response is in addition to the aval Suppl y\nSystems Command response prov ided by memorandum on 6 October 2009 which\naddressed recommendations 2a and 2b. Together. these two responses provide detai led\ncomments regarding the find ings and recommendations contai ned in the subject draft\nreport. The Navy\'s response should be incorporated into the final nODIG report.\n\n                                                 : memo or its attachments, please re fer\n\n                                      at ! jJJ\' 17\nthem to\n                         Click to add JPEG  file\n                                             . "\n                                             . / /L= r ""\'<\'l\n                                                                .        ,\n                                            Ga    A. Broadwell\n                                                PT, SC, USN\n                                             Deput y Ass istant Secretary of the Navy\n                                               (Management and Budget)\n\nAttachments:\nAs staled\n\n\n\n\n                                                        15\n\x0c                                                                       Final Report \n\n                                                                        Reference\n\n\n\n\n\n\n         Assistant for Naval Investigative Matters and Security\n       COMMENTS TO DODIG DRAFT REPORT OF 10 SEPTEMBER 2009\n   ON INFORMATION SECURITY AT THE FLEET AND INDUSTRIAL SUPPLY\n               CENTER, SIGONELLA DETACHMENT BAHRAIN\n                      (D2009-DOOOAS-0163.000)\n\n\nRecommendations:\n\n1. ~ We recommend that the Special Assistant for Nava l\nInvestigative Matters and Security:\n\n     a . ~ Investigate this potent i al compr omise of               Revised,\ninformation and determine its effect on national security.           Redirected, and\nDON Response:  CNO (N09N) provides implementing policy within the    Renumbered\nDepartment of the Navy. N09N is not an operational command.     It   Recommendation\nis the responsibility of the cogni z ant command to conduct the      as 2.c.\ninvestigation into the potential compromise of classified\nmaterial and determine its effect on nat i onal security, not CNO\n(N09N).  Additiona lly, any damage assessment is to be conducted\nby the Original Classif i cation Authority vice CNO (N09N).\n\n     h. ~ Determine why the Chief of Naval Operations                Revised\nmemoranda were i ncorrectly marked and in i tiate corrective\nactions.                Click to add JPEG file\nDON Response: CNO (N09N) concurs with the finding that the\ndocuments were incorrectly ma r ked however, upon receipt of the\nPreliminary Inquiry from the cognizant command, the originators\nare obligated to initiate corrective actions.    We conducted a\npreliminary review of the documents in question that were\nprovided by DOD IG and it is our assertion they were declassified\nas soon as notification of host nation was made in September\n2005.\n\nAdditional Comments :\n\n     We have, as r ecent l y as 7 May 2009, generated i nterim\nguidance to all Department of the Navy commands regarding the\nproper marking of classified documents and instructed them to\nconducted a random sampling of originally and derivatively\ngenerated documents . The proper marking of classified documents,\nto include email, is emphasized during our annua l Security\nManager\'s Seminar.\n\n     The recommended findings should be redirected to the Fleet\nand Industrial Supply Center, Sigonella Detachment Bahrain with\noversight by Headquarters, Naval Supply Systems Command.\n\n\n\n\n                                                    Enclosure (I)\n\n\n\n\n                                         16\n\x0c\x0c'